[Samba] samba4: Kerberos part, kinit works but no kpasswd
MARTIN boris
martin-boris at wanadoo.fr
Fri May 9 02:01:55 MDT 2014
Hi,
I have recently installed Samba 4 in a DC role.
The distribution is Debian jessie/sid; the Samba version is 4.1.7.
The server is globally working, but there is some little trouble.
On the server itself I can do a kinit without problem, but if I try a kpasswd I obtain the following:
    root@station:/var/log/samba# kinit
    Password for administrator@TOTO.FR:
    root@station:/var/log/samba# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@TOTO.FR
    Valid starting       Expires              Service principal
    09/05/2014 09:23:42  09/05/2014 19:23:42  krbtgt/TOTO.FR@TOTO.FR
            renew until 10/05/2014 09:23:38
    root@station:/var/log/samba# kpasswd
    [10 sec later ....]
    kpasswd: Cannot contact any KDC for requested realm getting initial ticket
The smb.conf file is the following:
    [global]
        workgroup = TOTO
        realm = TOTO.FR
        netbios name = station
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 129.20.128.39
        allow dns updates = nonsecure
        # winbind rpc only = yes
        log level = 4
        ntp signd socket directory = /var/lib/samba/ntp_signd

    [netlogon]
        path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
        read only = No

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

    [demo]
        path = /share/demo
        read only = no
And the krb5.conf is the following:
    [logging]
        default = FILE:/var/log/krb5.log

    [libdefaults]
        default_realm = TOTO.FR
        dns_lookup_realm = false
        dns_lookup_kdc = true

        # The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        v4_instance_resolve = false
        v4_name_convert = {
            host = {
                rcmd = host
                ftp = ftp
            }
            plain = {
                something = something-else
            }
        }
        fcc-mit-ticketflags = true

    [realms]
        IETR.UNIV-RENNES1.FR = {
            kdc = admin.toto.fr:88
            admin_server = admin.toto.fr
        }
        ...

    [domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA
        .toto.fr = TOTO.FR

    [login]
        krb4_convert = true
        krb4_get_tickets = false
The tcpdump of a failed kpasswd attempt gives the following:
    client -> station   Kerberos AS-REQ
                        MSG Type: AS-REQ (10)
                        Server Name (principal): kadmin/changepw
                        Encryption type: rc4-hmac
    station -> client   BER Error: Empty choice was found ...
And the log on the server side gives:
    Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype arcfour-hmac-md5) error Decrypt integrity check failed
    Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
It seems to me like an encryption negotiation failure between the client and the server; all the enctype lines in the krb5.conf were not there initially and are a (failed) attempt to fix the trouble.
So my questions are:
- is there any way for me to know what kind of encoding samba4/kerberos expects on the server side?
- where are the credentials for all the users stored on the server side? Are they stored in the LDAP part of samba4?
- does anyone see what I can do to fix this mess?
Best regards
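Added example by the editor, not part of the post and not Samba's or MIT Kerberos' own tooling: a plain sh + awk sanity check for a krb5.conf in exactly this "kinit works but kpasswd fails" situation. It verifies that the realm named by default_realm has a [realms] stanza of the same name, that the stanza gives a kdc and an admin_server or kpasswd_server, prints the DNS SRV names MIT krb5 falls back to when it does not, and lists any single-DES enctypes in [libdefaults] (MIT krb5 1.8 and later silently drop those unless allow_weak_crypto = true, so adding them changes nothing). The embedded krb5.conf is constructed for the demo and modelled on the one above: default_realm = TOTO.FR, while the only [realms] stanza carries a different name (OTHER.EXAMPLE.COM, a placeholder). Function names and messages are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): static checks on a krb5.conf
# for the "kinit works but kpasswd fails" case. POSIX sh + awk only.

# Value of default_realm from [libdefaults]; empty if unset.
krb5_default_realm() {
    awk -F= '
        /^[[:space:]]*[#;]/ { next }                                    # comment
        /^[[:space:]]*[[]/  { s = $0; sub(/^[^[]*\[/, "", s); sub(/\].*/, "", s); next }
        s == "libdefaults"  {
            k = $1; v = $2; gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            if (k == "default_realm") { print v; exit }
        }' "$1"
}

# Keys (kdc, admin_server, kpasswd_server, ...) defined inside the [realms]
# stanza named $2, one per line; prints nothing if no such stanza exists.
krb5_realm_keys() {
    awk -F= -v realm="$2" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*[[]/  { s = $0; sub(/^[^[]*\[/, "", s); sub(/\].*/, "", s); inrealm = 0; next }
        s != "realms"       { next }
        { k = $1; gsub(/[[:space:]]/, "", k) }
        /[{][[:space:]]*$/  { inrealm = (k == realm); next }          # "REALM = {"
        /^[[:space:]]*[}]/  { inrealm = 0; next }
        inrealm && k != ""  { print k }' "$1"
}

# SRV names MIT krb5 queries for a realm when dns_lookup_kdc is on and the
# server is not given in the realm stanza (kpasswd uses the last three).
krb5_srv_names() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '_kerberos._udp.%s\n_kerberos._tcp.%s\n_kerberos-adm._tcp.%s\n_kpasswd._udp.%s\n_kpasswd._tcp.%s\n' \
        "$d" "$d" "$d" "$d" "$d"
}

# Single-DES enctypes listed in [libdefaults], as "key: enctype" lines.
krb5_weak_enctypes() {
    awk -F= '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*[[]/  { s = $0; sub(/^[^[]*\[/, "", s); sub(/\].*/, "", s); next }
        s == "libdefaults"  {
            k = $1; gsub(/[[:space:]]/, "", k)
            if (k ~ /^(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)$/) {
                n = split($2, t, /[[:space:]]+/)
                for (i = 1; i <= n; i++) if (t[i] ~ /^des-/) print k ": " t[i]
            }
        }' "$1"
}

# Verdict: returns 0 only if default_realm has a configured password-change server.
krb5_check_kpasswd() {
    _conf=$1
    realm=$(krb5_default_realm "$_conf")
    if [ -z "$realm" ]; then
        echo "FAIL: no default_realm in [libdefaults]"; return 1
    fi
    keys=$(krb5_realm_keys "$_conf" "$realm")
    if [ -z "$keys" ]; then
        echo "FAIL: default_realm $realm has no [realms] stanza of that name;"
        echo "      kinit can still find the KDC via DNS (dns_lookup_kdc), but kpasswd"
        echo "      then depends entirely on these SRV records existing:"
        krb5_srv_names "$realm" | sed 's/^/      /'
        return 1
    fi
    case "$keys" in
        *kpasswd_server*|*admin_server*)
            echo "OK: [realms] $realm configures a password-change server"; return 0 ;;
    esac
    echo "FAIL: [realms] $realm has no admin_server or kpasswd_server"; return 1
}

# Constructed sample modelled on the post: realm name mismatch + DES enctypes.
krb5_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[libdefaults]
    default_realm = TOTO.FR
    dns_lookup_kdc = true
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
    OTHER.EXAMPLE.COM = {
        kdc = admin.other.example.com:88
        admin_server = admin.other.example.com
    }
EOF
    echo "$f"
}

# Stand-alone run: check the file given as $1, or the constructed sample.
cfg=${1:-$(krb5_sample_conf)}
[ -n "${1:-}" ] || trap 'rm -f "$cfg"' EXIT
krb5_check_kpasswd "$cfg" || :
krb5_weak_enctypes "$cfg"
```

Run it against the real file with `sh krb5check.sh /etc/krb5.conf`. To see which enctype the KDC actually issued for the ticket kinit obtained, `klist -e` prints the encryption types of each cached ticket; compare that with the enctype lines the script reports.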